1 /*- 2 * Copyright (c) 2001 Charles Mott <cm@linktel.net> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27 #include <sys/cdefs.h> 28 __FBSDID("$FreeBSD$"); 29 30 /* 31 Alias_ftp.c performs special processing for FTP sessions under 32 TCP. Specifically, when a PORT/EPRT command from the client 33 side or 227/229 reply from the server is sent, it is intercepted 34 and modified. The address is changed to the gateway machine 35 and an aliasing port is used. 36 37 For this routine to work, the message must fit entirely into a 38 single TCP packet. This is typically the case, but exceptions 39 can easily be envisioned under the actual specifications. 40 41 Probably the most troubling aspect of the approach taken here is 42 that the new message will typically be a different length, and 43 this causes a certain amount of bookkeeping to keep track of the 44 changes of sequence and acknowledgment numbers, since the client 45 machine is totally unaware of the modification to the TCP stream. 46 47 48 References: RFC 959, RFC 2428. 49 50 Initial version: August, 1996 (cjm) 51 52 Version 1.6 53 Brian Somers and Martin Renters identified an IP checksum 54 error for modified IP packets. 55 56 Version 1.7: January 9, 1996 (cjm) 57 Differential checksum computation for change 58 in IP packet length. 59 60 Version 2.1: May, 1997 (cjm) 61 Very minor changes to conform with 62 local/global/function naming conventions 63 within the packet aliasing module. 64 65 Version 3.1: May, 2000 (eds) 66 Add support for passive mode, alias the 227 replies. 67 68 See HISTORY file for record of revisions. 69 */ 70 71 /* Includes */ 72 #ifdef _KERNEL 73 #include <sys/param.h> 74 #include <sys/ctype.h> 75 #include <sys/systm.h> 76 #include <sys/kernel.h> 77 #include <sys/module.h> 78 #else 79 #include <errno.h> 80 #include <sys/types.h> 81 #include <stdio.h> 82 #include <string.h> 83 #endif 84 85 #include <netinet/in_systm.h> 86 #include <netinet/in.h> 87 #include <netinet/ip.h> 88 #include <netinet/tcp.h> 89 90 #ifdef _KERNEL 91 #include <netinet/libalias/alias.h> 92 #include <netinet/libalias/alias_local.h> 93 #include <netinet/libalias/alias_mod.h> 94 #else 95 #include "alias_local.h" 96 #include "alias_mod.h" 97 #endif 98 99 #define FTP_CONTROL_PORT_NUMBER 21 100 101 static void 102 AliasHandleFtpOut(struct libalias *, struct ip *, struct alias_link *, 103 int maxpacketsize); 104 105 static int 106 fingerprint(struct libalias *la, struct ip *pip, struct alias_data *ah) 107 { 108 109 if (ah->dport == NULL || ah->sport == NULL || ah->lnk == NULL || 110 ah->maxpktsize == 0) 111 return (-1); 112 if (ntohs(*ah->dport) == FTP_CONTROL_PORT_NUMBER 113 || ntohs(*ah->sport) == FTP_CONTROL_PORT_NUMBER) 114 return (0); 115 return (-1); 116 } 117 118 static int 119 protohandler(struct libalias *la, struct ip *pip, struct alias_data *ah) 120 { 121 122 AliasHandleFtpOut(la, pip, ah->lnk, ah->maxpktsize); 123 return (0); 124 } 125 126 struct proto_handler handlers[] = { 127 { 128 .pri = 80, 129 .dir = OUT, 130 .proto = TCP, 131 .fingerprint = &fingerprint, 132 .protohandler = &protohandler 133 }, 134 { EOH } 135 }; 136 137 static int 138 mod_handler(module_t mod, int type, void *data) 139 { 140 int error; 141 142 switch (type) { 143 case MOD_LOAD: 144 error = 0; 145 LibAliasAttachHandlers(handlers); 146 break; 147 case MOD_UNLOAD: 148 error = 0; 149 LibAliasDetachHandlers(handlers); 150 break; 151 default: 152 error = EINVAL; 153 } 154 return (error); 155 } 156 157 #ifdef _KERNEL 158 static 159 #endif 160 moduledata_t alias_mod = { 161 "alias_ftp", mod_handler, NULL 162 }; 163 164 #ifdef _KERNEL 165 DECLARE_MODULE(alias_ftp, alias_mod, SI_SUB_DRIVERS, SI_ORDER_SECOND); 166 MODULE_VERSION(alias_ftp, 1); 167 MODULE_DEPEND(alias_ftp, libalias, 1, 1, 1); 168 #endif 169 170 #define FTP_CONTROL_PORT_NUMBER 21 171 #define MAX_MESSAGE_SIZE 128 172 173 /* FTP protocol flags. */ 174 #define WAIT_CRLF 0x01 175 176 enum ftp_message_type { 177 FTP_PORT_COMMAND, 178 FTP_EPRT_COMMAND, 179 FTP_227_REPLY, 180 FTP_229_REPLY, 181 FTP_UNKNOWN_MESSAGE 182 }; 183 184 static int ParseFtpPortCommand(struct libalias *la, char *, int); 185 static int ParseFtpEprtCommand(struct libalias *la, char *, int); 186 static int ParseFtp227Reply(struct libalias *la, char *, int); 187 static int ParseFtp229Reply(struct libalias *la, char *, int); 188 static void NewFtpMessage(struct libalias *la, struct ip *, struct alias_link *, int, int); 189 190 static void 191 AliasHandleFtpOut( 192 struct libalias *la, 193 struct ip *pip, /* IP packet to examine/patch */ 194 struct alias_link *lnk, /* The link to go through (aliased port) */ 195 int maxpacketsize /* The maximum size this packet can grow to 196 (including headers) */ ) 197 { 198 int hlen, tlen, dlen, pflags; 199 char *sptr; 200 struct tcphdr *tc; 201 int ftp_message_type; 202 203 /* Calculate data length of TCP packet */ 204 tc = (struct tcphdr *)ip_next(pip); 205 hlen = (pip->ip_hl + tc->th_off) << 2; 206 tlen = ntohs(pip->ip_len); 207 dlen = tlen - hlen; 208 209 /* Place string pointer and beginning of data */ 210 sptr = (char *)pip; 211 sptr += hlen; 212 213 /* 214 * Check that data length is not too long and previous message was 215 * properly terminated with CRLF. 216 */ 217 pflags = GetProtocolFlags(lnk); 218 if (dlen <= MAX_MESSAGE_SIZE && !(pflags & WAIT_CRLF)) { 219 ftp_message_type = FTP_UNKNOWN_MESSAGE; 220 221 if (ntohs(tc->th_dport) == FTP_CONTROL_PORT_NUMBER) { 222 /* 223 * When aliasing a client, check for the PORT/EPRT command. 224 */ 225 if (ParseFtpPortCommand(la, sptr, dlen)) 226 ftp_message_type = FTP_PORT_COMMAND; 227 else if (ParseFtpEprtCommand(la, sptr, dlen)) 228 ftp_message_type = FTP_EPRT_COMMAND; 229 } else { 230 /* 231 * When aliasing a server, check for the 227/229 reply. 232 */ 233 if (ParseFtp227Reply(la, sptr, dlen)) 234 ftp_message_type = FTP_227_REPLY; 235 else if (ParseFtp229Reply(la, sptr, dlen)) { 236 ftp_message_type = FTP_229_REPLY; 237 la->true_addr.s_addr = pip->ip_src.s_addr; 238 } 239 } 240 241 if (ftp_message_type != FTP_UNKNOWN_MESSAGE) 242 NewFtpMessage(la, pip, lnk, maxpacketsize, ftp_message_type); 243 } 244 /* Track the msgs which are CRLF term'd for PORT/PASV FW breach */ 245 246 if (dlen) { /* only if there's data */ 247 sptr = (char *)pip; /* start over at beginning */ 248 tlen = ntohs(pip->ip_len); /* recalc tlen, pkt may 249 * have grown */ 250 if (sptr[tlen - 2] == '\r' && sptr[tlen - 1] == '\n') 251 pflags &= ~WAIT_CRLF; 252 else 253 pflags |= WAIT_CRLF; 254 SetProtocolFlags(lnk, pflags); 255 } 256 } 257 258 static int 259 ParseFtpPortCommand(struct libalias *la, char *sptr, int dlen) 260 { 261 char ch; 262 int i, state; 263 u_int32_t addr; 264 u_short port; 265 u_int8_t octet; 266 267 /* Format: "PORT A,D,D,R,PO,RT". */ 268 269 /* Return if data length is too short. */ 270 if (dlen < 18) 271 return (0); 272 273 addr = port = octet = 0; 274 state = -4; 275 for (i = 0; i < dlen; i++) { 276 ch = sptr[i]; 277 switch (state) { 278 case -4: 279 if (ch == 'P') 280 state++; 281 else 282 return (0); 283 break; 284 case -3: 285 if (ch == 'O') 286 state++; 287 else 288 return (0); 289 break; 290 case -2: 291 if (ch == 'R') 292 state++; 293 else 294 return (0); 295 break; 296 case -1: 297 if (ch == 'T') 298 state++; 299 else 300 return (0); 301 break; 302 303 case 0: 304 if (isspace(ch)) 305 break; 306 else 307 state++; 308 case 1: 309 case 3: 310 case 5: 311 case 7: 312 case 9: 313 case 11: 314 if (isdigit(ch)) { 315 octet = ch - '0'; 316 state++; 317 } else 318 return (0); 319 break; 320 case 2: 321 case 4: 322 case 6: 323 case 8: 324 if (isdigit(ch)) 325 octet = 10 * octet + ch - '0'; 326 else if (ch == ',') { 327 addr = (addr << 8) + octet; 328 state++; 329 } else 330 return (0); 331 break; 332 case 10: 333 case 12: 334 if (isdigit(ch)) 335 octet = 10 * octet + ch - '0'; 336 else if (ch == ',' || state == 12) { 337 port = (port << 8) + octet; 338 state++; 339 } else 340 return (0); 341 break; 342 } 343 } 344 345 if (state == 13) { 346 la->true_addr.s_addr = htonl(addr); 347 la->true_port = port; 348 return (1); 349 } else 350 return (0); 351 } 352 353 static int 354 ParseFtpEprtCommand(struct libalias *la, char *sptr, int dlen) 355 { 356 char ch, delim; 357 int i, state; 358 u_int32_t addr; 359 u_short port; 360 u_int8_t octet; 361 362 /* Format: "EPRT |1|A.D.D.R|PORT|". */ 363 364 /* Return if data length is too short. */ 365 if (dlen < 18) 366 return (0); 367 368 addr = port = octet = 0; 369 delim = '|'; /* XXX gcc -Wuninitialized */ 370 state = -4; 371 for (i = 0; i < dlen; i++) { 372 ch = sptr[i]; 373 switch (state) { 374 case -4: 375 if (ch == 'E') 376 state++; 377 else 378 return (0); 379 break; 380 case -3: 381 if (ch == 'P') 382 state++; 383 else 384 return (0); 385 break; 386 case -2: 387 if (ch == 'R') 388 state++; 389 else 390 return (0); 391 break; 392 case -1: 393 if (ch == 'T') 394 state++; 395 else 396 return (0); 397 break; 398 399 case 0: 400 if (!isspace(ch)) { 401 delim = ch; 402 state++; 403 } 404 break; 405 case 1: 406 if (ch == '1') /* IPv4 address */ 407 state++; 408 else 409 return (0); 410 break; 411 case 2: 412 if (ch == delim) 413 state++; 414 else 415 return (0); 416 break; 417 case 3: 418 case 5: 419 case 7: 420 case 9: 421 if (isdigit(ch)) { 422 octet = ch - '0'; 423 state++; 424 } else 425 return (0); 426 break; 427 case 4: 428 case 6: 429 case 8: 430 case 10: 431 if (isdigit(ch)) 432 octet = 10 * octet + ch - '0'; 433 else if (ch == '.' || state == 10) { 434 addr = (addr << 8) + octet; 435 state++; 436 } else 437 return (0); 438 break; 439 case 11: 440 if (isdigit(ch)) { 441 port = ch - '0'; 442 state++; 443 } else 444 return (0); 445 break; 446 case 12: 447 if (isdigit(ch)) 448 port = 10 * port + ch - '0'; 449 else if (ch == delim) 450 state++; 451 else 452 return (0); 453 break; 454 } 455 } 456 457 if (state == 13) { 458 la->true_addr.s_addr = htonl(addr); 459 la->true_port = port; 460 return (1); 461 } else 462 return (0); 463 } 464 465 static int 466 ParseFtp227Reply(struct libalias *la, char *sptr, int dlen) 467 { 468 char ch; 469 int i, state; 470 u_int32_t addr; 471 u_short port; 472 u_int8_t octet; 473 474 /* Format: "227 Entering Passive Mode (A,D,D,R,PO,RT)" */ 475 476 /* Return if data length is too short. */ 477 if (dlen < 17) 478 return (0); 479 480 addr = port = octet = 0; 481 482 state = -3; 483 for (i = 0; i < dlen; i++) { 484 ch = sptr[i]; 485 switch (state) { 486 case -3: 487 if (ch == '2') 488 state++; 489 else 490 return (0); 491 break; 492 case -2: 493 if (ch == '2') 494 state++; 495 else 496 return (0); 497 break; 498 case -1: 499 if (ch == '7') 500 state++; 501 else 502 return (0); 503 break; 504 505 case 0: 506 if (ch == '(') 507 state++; 508 break; 509 case 1: 510 case 3: 511 case 5: 512 case 7: 513 case 9: 514 case 11: 515 if (isdigit(ch)) { 516 octet = ch - '0'; 517 state++; 518 } else 519 return (0); 520 break; 521 case 2: 522 case 4: 523 case 6: 524 case 8: 525 if (isdigit(ch)) 526 octet = 10 * octet + ch - '0'; 527 else if (ch == ',') { 528 addr = (addr << 8) + octet; 529 state++; 530 } else 531 return (0); 532 break; 533 case 10: 534 case 12: 535 if (isdigit(ch)) 536 octet = 10 * octet + ch - '0'; 537 else if (ch == ',' || (state == 12 && ch == ')')) { 538 port = (port << 8) + octet; 539 state++; 540 } else 541 return (0); 542 break; 543 } 544 } 545 546 if (state == 13) { 547 la->true_port = port; 548 la->true_addr.s_addr = htonl(addr); 549 return (1); 550 } else 551 return (0); 552 } 553 554 static int 555 ParseFtp229Reply(struct libalias *la, char *sptr, int dlen) 556 { 557 char ch, delim; 558 int i, state; 559 u_short port; 560 561 /* Format: "229 Entering Extended Passive Mode (|||PORT|)" */ 562 563 /* Return if data length is too short. */ 564 if (dlen < 11) 565 return (0); 566 567 port = 0; 568 delim = '|'; /* XXX gcc -Wuninitialized */ 569 570 state = -3; 571 for (i = 0; i < dlen; i++) { 572 ch = sptr[i]; 573 switch (state) { 574 case -3: 575 if (ch == '2') 576 state++; 577 else 578 return (0); 579 break; 580 case -2: 581 if (ch == '2') 582 state++; 583 else 584 return (0); 585 break; 586 case -1: 587 if (ch == '9') 588 state++; 589 else 590 return (0); 591 break; 592 593 case 0: 594 if (ch == '(') 595 state++; 596 break; 597 case 1: 598 delim = ch; 599 state++; 600 break; 601 case 2: 602 case 3: 603 if (ch == delim) 604 state++; 605 else 606 return (0); 607 break; 608 case 4: 609 if (isdigit(ch)) { 610 port = ch - '0'; 611 state++; 612 } else 613 return (0); 614 break; 615 case 5: 616 if (isdigit(ch)) 617 port = 10 * port + ch - '0'; 618 else if (ch == delim) 619 state++; 620 else 621 return (0); 622 break; 623 case 6: 624 if (ch == ')') 625 state++; 626 else 627 return (0); 628 break; 629 } 630 } 631 632 if (state == 7) { 633 la->true_port = port; 634 return (1); 635 } else 636 return (0); 637 } 638 639 static void 640 NewFtpMessage(struct libalias *la, struct ip *pip, 641 struct alias_link *lnk, 642 int maxpacketsize, 643 int ftp_message_type) 644 { 645 struct alias_link *ftp_lnk; 646 647 /* Security checks. */ 648 if (pip->ip_src.s_addr != la->true_addr.s_addr) 649 return; 650 651 if (la->true_port < IPPORT_RESERVED) 652 return; 653 654 /* Establish link to address and port found in FTP control message. */ 655 ftp_lnk = FindUdpTcpOut(la, la->true_addr, GetDestAddress(lnk), 656 htons(la->true_port), 0, IPPROTO_TCP, 1); 657 658 if (ftp_lnk != NULL) { 659 int slen, hlen, tlen, dlen; 660 struct tcphdr *tc; 661 662 #ifndef NO_FW_PUNCH 663 /* Punch hole in firewall */ 664 PunchFWHole(ftp_lnk); 665 #endif 666 667 /* Calculate data length of TCP packet */ 668 tc = (struct tcphdr *)ip_next(pip); 669 hlen = (pip->ip_hl + tc->th_off) << 2; 670 tlen = ntohs(pip->ip_len); 671 dlen = tlen - hlen; 672 673 /* Create new FTP message. */ 674 { 675 char stemp[MAX_MESSAGE_SIZE + 1]; 676 char *sptr; 677 u_short alias_port; 678 u_char *ptr; 679 int a1, a2, a3, a4, p1, p2; 680 struct in_addr alias_address; 681 682 /* Decompose alias address into quad format */ 683 alias_address = GetAliasAddress(lnk); 684 ptr = (u_char *) & alias_address.s_addr; 685 a1 = *ptr++; 686 a2 = *ptr++; 687 a3 = *ptr++; 688 a4 = *ptr; 689 690 alias_port = GetAliasPort(ftp_lnk); 691 692 switch (ftp_message_type) { 693 case FTP_PORT_COMMAND: 694 case FTP_227_REPLY: 695 /* Decompose alias port into pair format. */ 696 ptr = (char *)&alias_port; 697 p1 = *ptr++; 698 p2 = *ptr; 699 700 if (ftp_message_type == FTP_PORT_COMMAND) { 701 /* Generate PORT command string. */ 702 sprintf(stemp, "PORT %d,%d,%d,%d,%d,%d\r\n", 703 a1, a2, a3, a4, p1, p2); 704 } else { 705 /* Generate 227 reply string. */ 706 sprintf(stemp, 707 "227 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n", 708 a1, a2, a3, a4, p1, p2); 709 } 710 break; 711 case FTP_EPRT_COMMAND: 712 /* Generate EPRT command string. */ 713 sprintf(stemp, "EPRT |1|%d.%d.%d.%d|%d|\r\n", 714 a1, a2, a3, a4, ntohs(alias_port)); 715 break; 716 case FTP_229_REPLY: 717 /* Generate 229 reply string. */ 718 sprintf(stemp, "229 Entering Extended Passive Mode (|||%d|)\r\n", 719 ntohs(alias_port)); 720 break; 721 } 722 723 /* Save string length for IP header modification */ 724 slen = strlen(stemp); 725 726 /* Copy modified buffer into IP packet. */ 727 sptr = (char *)pip; 728 sptr += hlen; 729 strncpy(sptr, stemp, maxpacketsize - hlen); 730 } 731 732 /* Save information regarding modified seq and ack numbers */ 733 { 734 int delta; 735 736 SetAckModified(lnk); 737 tc = (struct tcphdr *)ip_next(pip); 738 delta = GetDeltaSeqOut(tc->th_seq, lnk); 739 AddSeq(lnk, delta + slen - dlen, pip->ip_hl, 740 pip->ip_len, tc->th_seq, tc->th_off); 741 } 742 743 /* Revise IP header */ 744 { 745 u_short new_len; 746 747 new_len = htons(hlen + slen); 748 DifferentialChecksum(&pip->ip_sum, 749 &new_len, 750 &pip->ip_len, 751 1); 752 pip->ip_len = new_len; 753 } 754 755 /* Compute TCP checksum for revised packet */ 756 tc->th_sum = 0; 757 #ifdef _KERNEL 758 tc->th_x2 = 1; 759 #else 760 tc->th_sum = TcpChecksum(pip); 761 #endif 762 } else { 763 #ifdef LIBALIAS_DEBUG 764 fprintf(stderr, 765 "PacketAlias/HandleFtpOut: Cannot allocate FTP data port\n"); 766 #endif 767 } 768 } 769